Re: [exim] Spoofed email address in From: header

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] Spoofed email address in From: header
web@??? <web@???> (Mi 01 Mai 2013 12:35:38 CEST):
> Hello
>
> I'm dealing with spoofed email addresses in From header of emails I've
> recive.
>
> Here are sample headers of such message:
>
> Return-path: <fountains7@???>


> Date:Tue, 30 Apr 2013 21:25:08 -0400
> From: <<my.email@???>>


> Until today I've successfuly denied messages with from like this:
> From: my.email@???


I'd not reject such messages, it is not illegal to see ones own address
in some From: header line. Your secretary might send such messages in
your name (but with sender: set to her address).

> I used such ACL rules to stop spoofed email:
>
>          condition = ${if or {\
>          {match_domain{${domain:$rh_from:}}{+local_domains}}\
>          {match_domain{${domain:${address:$rh_from:}}}{+local_domains}}\
>          {match_domain{${domain:${reduce{${addresses:$h_from:}}{}{$item}}}}{+local_domains}}\
>          {match_domain{${domain:${reduce{${addresses:$h_from:}}{}{${if
> eq{$value}{}{$item}{$value}}}}}}{+local_domains}}\
>          }{yes}{no}}


Looks "write only" to me. But you could enforce correct header lines for
your incoming mails:

    require verify = header_syntax
            verify = header_sender


… before you apply your above condition.
(Check the relevant spec parts to be sure :))

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-